Arcola
/
mbedtls
Important changes to repositories hosted on mbed.com
Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.
To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.
It is also possible to export all your personal repositories from the account settings page.
Fork of
mbedtls
by 
Mark Radbourne
Embed:
(wiki syntax)
Show/hide line numbers
x509_crt.h
Go to the documentation of this file.
00001 /** 00002 * \file x509_crt.h 00003 * 00004 * \brief X.509 certificate parsing and writing 00005 * 00006 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 00007 * SPDX-License-Identifier: Apache-2.0 00008 * 00009 * Licensed under the Apache License, Version 2.0 (the "License"); you may 00010 * not use this file except in compliance with the License. 00011 * You may obtain a copy of the License at 00012 * 00013 * http://www.apache.org/licenses/LICENSE-2.0 00014 * 00015 * Unless required by applicable law or agreed to in writing, software 00016 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 00017 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 00018 * See the License for the specific language governing permissions and 00019 * limitations under the License. 00020 * 00021 * This file is part of mbed TLS (https://tls.mbed.org) 00022 */ 00023 #ifndef MBEDTLS_X509_CRT_H 00024 #define MBEDTLS_X509_CRT_H 00025 00026 #if !defined(MBEDTLS_CONFIG_FILE) 00027 #include "config.h" 00028 #else 00029 #include MBEDTLS_CONFIG_FILE 00030 #endif 00031 00032 #include "x509.h" 00033 #include "x509_crl.h" 00034 00035 /** 00036 * \addtogroup x509_module 00037 * \{ 00038 */ 00039 00040 #ifdef __cplusplus 00041 extern "C" { 00042 #endif 00043 00044 /** 00045 * \name Structures and functions for parsing and writing X.509 certificates 00046 * \{ 00047 */ 00048 00049 /** 00050 * Container for an X.509 certificate. The certificate may be chained. 00051 */ 00052 typedef struct mbedtls_x509_crt 00053 { 00054 mbedtls_x509_buf raw; /**< The raw certificate data (DER). */ 00055 mbedtls_x509_buf tbs; /**< The raw certificate body (DER). The part that is To Be Signed. */ 00056 00057 int version; /**< The X.509 version. (1=v1, 2=v2, 3=v3) */ 00058 mbedtls_x509_buf serial; /**< Unique id for certificate issued by a specific CA. */ 00059 mbedtls_x509_buf sig_oid; /**< Signature algorithm, e.g. sha1RSA */ 00060 00061 mbedtls_x509_buf issuer_raw; /**< The raw issuer data (DER). Used for quick comparison. */ 00062 mbedtls_x509_buf subject_raw; /**< The raw subject data (DER). Used for quick comparison. */ 00063 00064 mbedtls_x509_name issuer; /**< The parsed issuer data (named information object). */ 00065 mbedtls_x509_name subject; /**< The parsed subject data (named information object). */ 00066 00067 mbedtls_x509_time valid_from; /**< Start time of certificate validity. */ 00068 mbedtls_x509_time valid_to; /**< End time of certificate validity. */ 00069 00070 mbedtls_pk_context pk; /**< Container for the public key context. */ 00071 00072 mbedtls_x509_buf issuer_id; /**< Optional X.509 v2/v3 issuer unique identifier. */ 00073 mbedtls_x509_buf subject_id; /**< Optional X.509 v2/v3 subject unique identifier. */ 00074 mbedtls_x509_buf v3_ext; /**< Optional X.509 v3 extensions. */ 00075 mbedtls_x509_sequence subject_alt_names; /**< Optional list of Subject Alternative Names (Only dNSName supported). */ 00076 00077 int ext_types; /**< Bit string containing detected and parsed extensions */ 00078 int ca_istrue; /**< Optional Basic Constraint extension value: 1 if this certificate belongs to a CA, 0 otherwise. */ 00079 int max_pathlen; /**< Optional Basic Constraint extension value: The maximum path length to the root certificate. Path length is 1 higher than RFC 5280 'meaning', so 1+ */ 00080 00081 unsigned int key_usage; /**< Optional key usage extension value: See the values in x509.h */ 00082 00083 mbedtls_x509_sequence ext_key_usage; /**< Optional list of extended key usage OIDs. */ 00084 00085 unsigned char ns_cert_type; /**< Optional Netscape certificate type extension value: See the values in x509.h */ 00086 00087 mbedtls_x509_buf sig; /**< Signature: hash of the tbs part signed with the private key. */ 00088 mbedtls_md_type_t sig_md; /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */ 00089 mbedtls_pk_type_t sig_pk; /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */ 00090 void *sig_opts; /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */ 00091 00092 struct mbedtls_x509_crt *next; /**< Next certificate in the CA-chain. */ 00093 } 00094 mbedtls_x509_crt; 00095 00096 /** 00097 * Build flag from an algorithm/curve identifier (pk, md, ecp) 00098 * Since 0 is always XXX_NONE, ignore it. 00099 */ 00100 #define MBEDTLS_X509_ID_FLAG( id ) ( 1 << ( id - 1 ) ) 00101 00102 /** 00103 * Security profile for certificate verification. 00104 * 00105 * All lists are bitfields, built by ORing flags from MBEDTLS_X509_ID_FLAG(). 00106 */ 00107 typedef struct 00108 { 00109 uint32_t allowed_mds; /**< MDs for signatures */ 00110 uint32_t allowed_pks; /**< PK algs for signatures */ 00111 uint32_t allowed_curves; /**< Elliptic curves for ECDSA */ 00112 uint32_t rsa_min_bitlen; /**< Minimum size for RSA keys */ 00113 } 00114 mbedtls_x509_crt_profile; 00115 00116 #define MBEDTLS_X509_CRT_VERSION_1 0 00117 #define MBEDTLS_X509_CRT_VERSION_2 1 00118 #define MBEDTLS_X509_CRT_VERSION_3 2 00119 00120 #define MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN 32 00121 #define MBEDTLS_X509_RFC5280_UTC_TIME_LEN 15 00122 00123 #if !defined( MBEDTLS_X509_MAX_FILE_PATH_LEN ) 00124 #define MBEDTLS_X509_MAX_FILE_PATH_LEN 512 00125 #endif 00126 00127 /** 00128 * Container for writing a certificate (CRT) 00129 */ 00130 typedef struct mbedtls_x509write_cert 00131 { 00132 int version; 00133 mbedtls_mpi serial; 00134 mbedtls_pk_context *subject_key; 00135 mbedtls_pk_context *issuer_key; 00136 mbedtls_asn1_named_data *subject; 00137 mbedtls_asn1_named_data *issuer; 00138 mbedtls_md_type_t md_alg; 00139 char not_before[MBEDTLS_X509_RFC5280_UTC_TIME_LEN + 1]; 00140 char not_after[MBEDTLS_X509_RFC5280_UTC_TIME_LEN + 1]; 00141 mbedtls_asn1_named_data *extensions; 00142 } 00143 mbedtls_x509write_cert; 00144 00145 #if defined(MBEDTLS_X509_CRT_PARSE_C) 00146 /** 00147 * Default security profile. Should provide a good balance between security 00148 * and compatibility with current deployments. 00149 */ 00150 extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default; 00151 00152 /** 00153 * Expected next default profile. Recommended for new deployments. 00154 * Currently targets a 128-bit security level, except for RSA-2048. 00155 */ 00156 extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next; 00157 00158 /** 00159 * NSA Suite B profile. 00160 */ 00161 extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb; 00162 00163 /** 00164 * \brief Parse a single DER formatted certificate and add it 00165 * to the chained list. 00166 * 00167 * \param chain points to the start of the chain 00168 * \param buf buffer holding the certificate DER data 00169 * \param buflen size of the buffer 00170 * 00171 * \return 0 if successful, or a specific X509 or PEM error code 00172 */ 00173 int mbedtls_x509_crt_parse_der( mbedtls_x509_crt *chain, const unsigned char *buf, 00174 size_t buflen ); 00175 00176 /** 00177 * \brief Parse one or more certificates and add them 00178 * to the chained list. Parses permissively. If some 00179 * certificates can be parsed, the result is the number 00180 * of failed certificates it encountered. If none complete 00181 * correctly, the first error is returned. 00182 * 00183 * \param chain points to the start of the chain 00184 * \param buf buffer holding the certificate data in PEM or DER format 00185 * \param buflen size of the buffer 00186 * (including the terminating null byte for PEM data) 00187 * 00188 * \return 0 if all certificates parsed successfully, a positive number 00189 * if partly successful or a specific X509 or PEM error code 00190 */ 00191 int mbedtls_x509_crt_parse( mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen ); 00192 00193 #if defined(MBEDTLS_FS_IO) 00194 /** 00195 * \brief Load one or more certificates and add them 00196 * to the chained list. Parses permissively. If some 00197 * certificates can be parsed, the result is the number 00198 * of failed certificates it encountered. If none complete 00199 * correctly, the first error is returned. 00200 * 00201 * \param chain points to the start of the chain 00202 * \param path filename to read the certificates from 00203 * 00204 * \return 0 if all certificates parsed successfully, a positive number 00205 * if partly successful or a specific X509 or PEM error code 00206 */ 00207 int mbedtls_x509_crt_parse_file( mbedtls_x509_crt *chain, const char *path ); 00208 00209 /** 00210 * \brief Load one or more certificate files from a path and add them 00211 * to the chained list. Parses permissively. If some 00212 * certificates can be parsed, the result is the number 00213 * of failed certificates it encountered. If none complete 00214 * correctly, the first error is returned. 00215 * 00216 * \param chain points to the start of the chain 00217 * \param path directory / folder to read the certificate files from 00218 * 00219 * \return 0 if all certificates parsed successfully, a positive number 00220 * if partly successful or a specific X509 or PEM error code 00221 */ 00222 int mbedtls_x509_crt_parse_path( mbedtls_x509_crt *chain, const char *path ); 00223 #endif /* MBEDTLS_FS_IO */ 00224 00225 /** 00226 * \brief Returns an informational string about the 00227 * certificate. 00228 * 00229 * \param buf Buffer to write to 00230 * \param size Maximum size of buffer 00231 * \param prefix A line prefix 00232 * \param crt The X509 certificate to represent 00233 * 00234 * \return The length of the string written (not including the 00235 * terminated nul byte), or a negative error code. 00236 */ 00237 int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix, 00238 const mbedtls_x509_crt *crt ); 00239 00240 /** 00241 * \brief Returns an informational string about the 00242 * verification status of a certificate. 00243 * 00244 * \param buf Buffer to write to 00245 * \param size Maximum size of buffer 00246 * \param prefix A line prefix 00247 * \param flags Verification flags created by mbedtls_x509_crt_verify() 00248 * 00249 * \return The length of the string written (not including the 00250 * terminated nul byte), or a negative error code. 00251 */ 00252 int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix, 00253 uint32_t flags ); 00254 00255 /** 00256 * \brief Verify the certificate signature 00257 * 00258 * The verify callback is a user-supplied callback that 00259 * can clear / modify / add flags for a certificate. If set, 00260 * the verification callback is called for each 00261 * certificate in the chain (from the trust-ca down to the 00262 * presented crt). The parameters for the callback are: 00263 * (void *parameter, mbedtls_x509_crt *crt, int certificate_depth, 00264 * int *flags). With the flags representing current flags for 00265 * that specific certificate and the certificate depth from 00266 * the bottom (Peer cert depth = 0). 00267 * 00268 * All flags left after returning from the callback 00269 * are also returned to the application. The function should 00270 * return 0 for anything (including invalid certificates) 00271 * other than fatal error, as a non-zero return code 00272 * immediately aborts the verification process. For fatal 00273 * errors, a specific error code should be used (different 00274 * from MBEDTLS_ERR_X509_CERT_VERIFY_FAILED which should not 00275 * be returned at this point), or MBEDTLS_ERR_X509_FATAL_ERROR 00276 * can be used if no better code is available. 00277 * 00278 * \note In case verification failed, the results can be displayed 00279 * using \c mbedtls_x509_crt_verify_info() 00280 * 00281 * \note Same as \c mbedtls_x509_crt_verify_with_profile() with the 00282 * default security profile. 00283 * 00284 * \note It is your responsibility to provide up-to-date CRLs for 00285 * all trusted CAs. If no CRL is provided for the CA that was 00286 * used to sign the certificate, CRL verification is skipped 00287 * silently, that is *without* setting any flag. 00288 * 00289 * \param crt a certificate (chain) to be verified 00290 * \param trust_ca the list of trusted CAs 00291 * \param ca_crl the list of CRLs for trusted CAs (see note above) 00292 * \param cn expected Common Name (can be set to 00293 * NULL if the CN must not be verified) 00294 * \param flags result of the verification 00295 * \param f_vrfy verification function 00296 * \param p_vrfy verification parameter 00297 * 00298 * \return 0 (and flags set to 0) if the chain was verified and valid, 00299 * MBEDTLS_ERR_X509_CERT_VERIFY_FAILED if the chain was verified 00300 * but found to be invalid, in which case *flags will have one 00301 * or more MBEDTLS_X509_BADCERT_XXX or MBEDTLS_X509_BADCRL_XXX 00302 * flags set, or another error (and flags set to 0xffffffff) 00303 * in case of a fatal error encountered during the 00304 * verification process. 00305 */ 00306 int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt, 00307 mbedtls_x509_crt *trust_ca, 00308 mbedtls_x509_crl *ca_crl, 00309 const char *cn, uint32_t *flags, 00310 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), 00311 void *p_vrfy ); 00312 00313 /** 00314 * \brief Verify the certificate signature according to profile 00315 * 00316 * \note Same as \c mbedtls_x509_crt_verify(), but with explicit 00317 * security profile. 00318 * 00319 * \note The restrictions on keys (RSA minimum size, allowed curves 00320 * for ECDSA) apply to all certificates: trusted root, 00321 * intermediate CAs if any, and end entity certificate. 00322 * 00323 * \param crt a certificate (chain) to be verified 00324 * \param trust_ca the list of trusted CAs 00325 * \param ca_crl the list of CRLs for trusted CAs 00326 * \param profile security profile for verification 00327 * \param cn expected Common Name (can be set to 00328 * NULL if the CN must not be verified) 00329 * \param flags result of the verification 00330 * \param f_vrfy verification function 00331 * \param p_vrfy verification parameter 00332 * 00333 * \return 0 if successful or MBEDTLS_ERR_X509_CERT_VERIFY_FAILED 00334 * in which case *flags will have one or more 00335 * MBEDTLS_X509_BADCERT_XXX or MBEDTLS_X509_BADCRL_XXX flags 00336 * set, 00337 * or another error in case of a fatal error encountered 00338 * during the verification process. 00339 */ 00340 int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt, 00341 mbedtls_x509_crt *trust_ca, 00342 mbedtls_x509_crl *ca_crl, 00343 const mbedtls_x509_crt_profile *profile, 00344 const char *cn, uint32_t *flags, 00345 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), 00346 void *p_vrfy ); 00347 00348 #if defined(MBEDTLS_X509_CHECK_KEY_USAGE) 00349 /** 00350 * \brief Check usage of certificate against keyUsage extension. 00351 * 00352 * \param crt Leaf certificate used. 00353 * \param usage Intended usage(s) (eg MBEDTLS_X509_KU_KEY_ENCIPHERMENT 00354 * before using the certificate to perform an RSA key 00355 * exchange). 00356 * 00357 * \note Except for decipherOnly and encipherOnly, a bit set in the 00358 * usage argument means this bit MUST be set in the 00359 * certificate. For decipherOnly and encipherOnly, it means 00360 * that bit MAY be set. 00361 * 00362 * \return 0 is these uses of the certificate are allowed, 00363 * MBEDTLS_ERR_X509_BAD_INPUT_DATA if the keyUsage extension 00364 * is present but does not match the usage argument. 00365 * 00366 * \note You should only call this function on leaf certificates, on 00367 * (intermediate) CAs the keyUsage extension is automatically 00368 * checked by \c mbedtls_x509_crt_verify(). 00369 */ 00370 int mbedtls_x509_crt_check_key_usage( const mbedtls_x509_crt *crt, 00371 unsigned int usage ); 00372 #endif /* MBEDTLS_X509_CHECK_KEY_USAGE) */ 00373 00374 #if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) 00375 /** 00376 * \brief Check usage of certificate against extentedJeyUsage. 00377 * 00378 * \param crt Leaf certificate used. 00379 * \param usage_oid Intended usage (eg MBEDTLS_OID_SERVER_AUTH or MBEDTLS_OID_CLIENT_AUTH). 00380 * \param usage_len Length of usage_oid (eg given by MBEDTLS_OID_SIZE()). 00381 * 00382 * \return 0 if this use of the certificate is allowed, 00383 * MBEDTLS_ERR_X509_BAD_INPUT_DATA if not. 00384 * 00385 * \note Usually only makes sense on leaf certificates. 00386 */ 00387 int mbedtls_x509_crt_check_extended_key_usage( const mbedtls_x509_crt *crt, 00388 const char *usage_oid, 00389 size_t usage_len ); 00390 #endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) */ 00391 00392 #if defined(MBEDTLS_X509_CRL_PARSE_C) 00393 /** 00394 * \brief Verify the certificate revocation status 00395 * 00396 * \param crt a certificate to be verified 00397 * \param crl the CRL to verify against 00398 * 00399 * \return 1 if the certificate is revoked, 0 otherwise 00400 * 00401 */ 00402 int mbedtls_x509_crt_is_revoked( const mbedtls_x509_crt *crt, const mbedtls_x509_crl *crl ); 00403 #endif /* MBEDTLS_X509_CRL_PARSE_C */ 00404 00405 /** 00406 * \brief Initialize a certificate (chain) 00407 * 00408 * \param crt Certificate chain to initialize 00409 */ 00410 void mbedtls_x509_crt_init( mbedtls_x509_crt *crt ); 00411 00412 /** 00413 * \brief Unallocate all certificate data 00414 * 00415 * \param crt Certificate chain to free 00416 */ 00417 void mbedtls_x509_crt_free( mbedtls_x509_crt *crt ); 00418 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 00419 00420 /* \} name */ 00421 /* \} addtogroup x509_module */ 00422 00423 #if defined(MBEDTLS_X509_CRT_WRITE_C) 00424 /** 00425 * \brief Initialize a CRT writing context 00426 * 00427 * \param ctx CRT context to initialize 00428 */ 00429 void mbedtls_x509write_crt_init( mbedtls_x509write_cert *ctx ); 00430 00431 /** 00432 * \brief Set the verion for a Certificate 00433 * Default: MBEDTLS_X509_CRT_VERSION_3 00434 * 00435 * \param ctx CRT context to use 00436 * \param version version to set (MBEDTLS_X509_CRT_VERSION_1, MBEDTLS_X509_CRT_VERSION_2 or 00437 * MBEDTLS_X509_CRT_VERSION_3) 00438 */ 00439 void mbedtls_x509write_crt_set_version( mbedtls_x509write_cert *ctx, int version ); 00440 00441 /** 00442 * \brief Set the serial number for a Certificate. 00443 * 00444 * \param ctx CRT context to use 00445 * \param serial serial number to set 00446 * 00447 * \return 0 if successful 00448 */ 00449 int mbedtls_x509write_crt_set_serial( mbedtls_x509write_cert *ctx, const mbedtls_mpi *serial ); 00450 00451 /** 00452 * \brief Set the validity period for a Certificate 00453 * Timestamps should be in string format for UTC timezone 00454 * i.e. "YYYYMMDDhhmmss" 00455 * e.g. "20131231235959" for December 31st 2013 00456 * at 23:59:59 00457 * 00458 * \param ctx CRT context to use 00459 * \param not_before not_before timestamp 00460 * \param not_after not_after timestamp 00461 * 00462 * \return 0 if timestamp was parsed successfully, or 00463 * a specific error code 00464 */ 00465 int mbedtls_x509write_crt_set_validity( mbedtls_x509write_cert *ctx, const char *not_before, 00466 const char *not_after ); 00467 00468 /** 00469 * \brief Set the issuer name for a Certificate 00470 * Issuer names should contain a comma-separated list 00471 * of OID types and values: 00472 * e.g. "C=UK,O=ARM,CN=mbed TLS CA" 00473 * 00474 * \param ctx CRT context to use 00475 * \param issuer_name issuer name to set 00476 * 00477 * \return 0 if issuer name was parsed successfully, or 00478 * a specific error code 00479 */ 00480 int mbedtls_x509write_crt_set_issuer_name( mbedtls_x509write_cert *ctx, 00481 const char *issuer_name ); 00482 00483 /** 00484 * \brief Set the subject name for a Certificate 00485 * Subject names should contain a comma-separated list 00486 * of OID types and values: 00487 * e.g. "C=UK,O=ARM,CN=mbed TLS Server 1" 00488 * 00489 * \param ctx CRT context to use 00490 * \param subject_name subject name to set 00491 * 00492 * \return 0 if subject name was parsed successfully, or 00493 * a specific error code 00494 */ 00495 int mbedtls_x509write_crt_set_subject_name( mbedtls_x509write_cert *ctx, 00496 const char *subject_name ); 00497 00498 /** 00499 * \brief Set the subject public key for the certificate 00500 * 00501 * \param ctx CRT context to use 00502 * \param key public key to include 00503 */ 00504 void mbedtls_x509write_crt_set_subject_key( mbedtls_x509write_cert *ctx, mbedtls_pk_context *key ); 00505 00506 /** 00507 * \brief Set the issuer key used for signing the certificate 00508 * 00509 * \param ctx CRT context to use 00510 * \param key private key to sign with 00511 */ 00512 void mbedtls_x509write_crt_set_issuer_key( mbedtls_x509write_cert *ctx, mbedtls_pk_context *key ); 00513 00514 /** 00515 * \brief Set the MD algorithm to use for the signature 00516 * (e.g. MBEDTLS_MD_SHA1) 00517 * 00518 * \param ctx CRT context to use 00519 * \param md_alg MD algorithm to use 00520 */ 00521 void mbedtls_x509write_crt_set_md_alg( mbedtls_x509write_cert *ctx, mbedtls_md_type_t md_alg ); 00522 00523 /** 00524 * \brief Generic function to add to or replace an extension in the 00525 * CRT 00526 * 00527 * \param ctx CRT context to use 00528 * \param oid OID of the extension 00529 * \param oid_len length of the OID 00530 * \param critical if the extension is critical (per the RFC's definition) 00531 * \param val value of the extension OCTET STRING 00532 * \param val_len length of the value data 00533 * 00534 * \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED 00535 */ 00536 int mbedtls_x509write_crt_set_extension( mbedtls_x509write_cert *ctx, 00537 const char *oid, size_t oid_len, 00538 int critical, 00539 const unsigned char *val, size_t val_len ); 00540 00541 /** 00542 * \brief Set the basicConstraints extension for a CRT 00543 * 00544 * \param ctx CRT context to use 00545 * \param is_ca is this a CA certificate 00546 * \param max_pathlen maximum length of certificate chains below this 00547 * certificate (only for CA certificates, -1 is 00548 * inlimited) 00549 * 00550 * \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED 00551 */ 00552 int mbedtls_x509write_crt_set_basic_constraints( mbedtls_x509write_cert *ctx, 00553 int is_ca, int max_pathlen ); 00554 00555 #if defined(MBEDTLS_SHA1_C) 00556 /** 00557 * \brief Set the subjectKeyIdentifier extension for a CRT 00558 * Requires that mbedtls_x509write_crt_set_subject_key() has been 00559 * called before 00560 * 00561 * \param ctx CRT context to use 00562 * 00563 * \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED 00564 */ 00565 int mbedtls_x509write_crt_set_subject_key_identifier( mbedtls_x509write_cert *ctx ); 00566 00567 /** 00568 * \brief Set the authorityKeyIdentifier extension for a CRT 00569 * Requires that mbedtls_x509write_crt_set_issuer_key() has been 00570 * called before 00571 * 00572 * \param ctx CRT context to use 00573 * 00574 * \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED 00575 */ 00576 int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert *ctx ); 00577 #endif /* MBEDTLS_SHA1_C */ 00578 00579 /** 00580 * \brief Set the Key Usage Extension flags 00581 * (e.g. MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_KEY_CERT_SIGN) 00582 * 00583 * \param ctx CRT context to use 00584 * \param key_usage key usage flags to set 00585 * 00586 * \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED 00587 */ 00588 int mbedtls_x509write_crt_set_key_usage( mbedtls_x509write_cert *ctx, 00589 unsigned int key_usage ); 00590 00591 /** 00592 * \brief Set the Netscape Cert Type flags 00593 * (e.g. MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT | MBEDTLS_X509_NS_CERT_TYPE_EMAIL) 00594 * 00595 * \param ctx CRT context to use 00596 * \param ns_cert_type Netscape Cert Type flags to set 00597 * 00598 * \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED 00599 */ 00600 int mbedtls_x509write_crt_set_ns_cert_type( mbedtls_x509write_cert *ctx, 00601 unsigned char ns_cert_type ); 00602 00603 /** 00604 * \brief Free the contents of a CRT write context 00605 * 00606 * \param ctx CRT context to free 00607 */ 00608 void mbedtls_x509write_crt_free( mbedtls_x509write_cert *ctx ); 00609 00610 /** 00611 * \brief Write a built up certificate to a X509 DER structure 00612 * Note: data is written at the end of the buffer! Use the 00613 * return value to determine where you should start 00614 * using the buffer 00615 * 00616 * \param ctx certificate to write away 00617 * \param buf buffer to write to 00618 * \param size size of the buffer 00619 * \param f_rng RNG function (for signature, see note) 00620 * \param p_rng RNG parameter 00621 * 00622 * \return length of data written if successful, or a specific 00623 * error code 00624 * 00625 * \note f_rng may be NULL if RSA is used for signature and the 00626 * signature is made offline (otherwise f_rng is desirable 00627 * for countermeasures against timing attacks). 00628 * ECDSA signatures always require a non-NULL f_rng. 00629 */ 00630 int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size, 00631 int (*f_rng)(void *, unsigned char *, size_t), 00632 void *p_rng ); 00633 00634 #if defined(MBEDTLS_PEM_WRITE_C) 00635 /** 00636 * \brief Write a built up certificate to a X509 PEM string 00637 * 00638 * \param ctx certificate to write away 00639 * \param buf buffer to write to 00640 * \param size size of the buffer 00641 * \param f_rng RNG function (for signature, see note) 00642 * \param p_rng RNG parameter 00643 * 00644 * \return 0 if successful, or a specific error code 00645 * 00646 * \note f_rng may be NULL if RSA is used for signature and the 00647 * signature is made offline (otherwise f_rng is desirable 00648 * for countermeasures against timing attacks). 00649 * ECDSA signatures always require a non-NULL f_rng. 00650 */ 00651 int mbedtls_x509write_crt_pem( mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size, 00652 int (*f_rng)(void *, unsigned char *, size_t), 00653 void *p_rng ); 00654 #endif /* MBEDTLS_PEM_WRITE_C */ 00655 #endif /* MBEDTLS_X509_CRT_WRITE_C */ 00656 00657 #ifdef __cplusplus 00658 } 00659 #endif 00660 00661 #endif /* mbedtls_x509_crt.h */
Generated on Tue Jul 12 2022 17:25:44 by
1.7.2